USN-8064-1

Details

Eliot Horowitz discovered that MongoDB may fail to validate some instances of malformed BSON. A remote attacker could possibly use this issue to cause MongoDB to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-1609)

It was discovered that MongoDB read raw permissions from .dbshell history files. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6494)

Travis Brown discovered that MongoDB may be unable to parse specially crafted UTF-8 strings in BSON requests. A remote attacker could possibly use this issue to cause MongoDB to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-20802)

Affected Packages

mongodb

Ubuntu Pro 14.04 LTS

Fixed in:

1:2.4.9-1ubuntu2+esm2

mongodb

Ubuntu Pro 16.04 LTS

Fixed in:

1:2.6.10-0ubuntu1+esm2

mongodb

Ubuntu Pro 18.04 LTS

Fixed in:

1:3.6.3-0ubuntu1.4+esm1

References

REPORT

https://ubuntu.com/security/CVE-2018-20802

ADVISORY

https://ubuntu.com/security/notices/USN-8064-1